Configuring SAML 2.0 for Single Sign-On (SSO)

by Skilljar SSE Team

Security Assertion Markup Language 2.0 (SAML 2.0) can be used as a single sign-on (SSO) method for your courses, which can be managed on your training site. In this article, we'll explain how to set up SAML 2.0 for SSO, as well as how it works, and where you can find the information you’ll need to provide us to help complete your setup. 

For general SAML SSO troubleshooting and examples of common errors, please see SAML Single Sign-on (SSO) - Common Errors & Troubleshooting.

Overview

Skilljar supports the use of SAML single sign-on (SSO) to allow users to access your training platform. When SAML 2.0 is used as the SSO method, Skilljar acts as the SAML Service Provider (SP) and relies on your SAML Identity Provider (IdP) to authenticate your users, establishing a trust relationship between the two.

When enabled, your users will no longer see the native Skilljar sign-in/sign-up pages, and will instead be redirected to your configured SingleSignOnService web address. If they attempt to log into Skilljar first, they are redirected to your SAML server for authentication, and then redirected back to Skilljar and automatically signed in.

  • Note: Your SAML SSO and authentication are usually set up and managed by your IT team.

SAML Identity Provider (IdP) vs Service Provider (SP)

An identity provider (IdP) authenticates the user who is attempting to log in, confirming they are who they say they are, and then sends that data to the service provider (SP) along with the user’s access rights. All IdP authentication is performed on your side. You may also use a third-party platform such as Salesforce as your IdP. 

A SAML service provider (SP) is the system that receives and accepts the sign-in authentication and then grants access to the user. The SP relies on the information provided by the IdP being completely accurate in order to complete the authorization. In this case, the SP is Skilljar, as we receive the information that allows users to log in to your Skilljar training platform.

Setup

Setting up and managing your training site to use SAML 2.0 for SSO requires working with your dedicated Implementation Manager, CSM, or Skilljar Support.

To get started, you'll need to provide the following Identity Provider settings to Skilljar. This information is typically included in your IdP Metadata XML file (see the image below), which you can send to us.

The XML file should look like this (the information in this example has been redacted for security purposes). You can view the XML information by using a text editor, such as Notepad. 

  • Note: The white boxes in the below image examples include redacted information and won't be included in your XML file. 

Screen_Shot_2022-07-20_at_3.44.32_PM.png

This is the information to look for within the latest version of your XML file.

Note: URL = web address

  • IdP x509 Certificate - This is usually a long block of encoded text, which you can find within the <X509Data> and <X509Certificate> containers, as seen in the image below.

    Screen_Shot_2022-07-20_at_2.50.00_PM.png

  • IdP Entity ID (Also referred to as the Issuer) - You can find this at the top of your XML file, in the entityID attribute of the <EntityDescriptor> container.

    Screen_Shot_2022-07-20_at_2.45.45_PM.png

  • IdP SingleLogoutService URL (Optional) - The IdP's SLO URL, to which we'll send a SAML logout request when the user signs out of Skilljar. This information is usually below the x509 certificate.

    Screen_Shot_2022-07-20_at_3.25.57_PM.png

  • IdP SingleSignOnService URL (The SP Initiated Login URL) - This information is found below the SingleLogoutService section. We’ll use this URL to make a SAML login request when the user signs into Skilljar.

    Screen_Shot_2022-07-20_at_3.17.18_PM.png

  • SAML Assertion Attribute Names (The attribute names as they will appear in the SAML Assertion) - This is usually the last section of the XML file. The attribute names appear as shown in the image below. These include: 
    • First name / Given Name
    • Last name / Surname
    • Email

Screen_Shot_2022-07-20_at_3.38.37_PM.png

  • Note: It is important that all of the information you provide us matches exactly what is in the most current version of your XML file.
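The values listed above can be read out of the IdP metadata programmatically instead of by eye. The following is an added example, not Skilljar's code, that uses only the Python standard library: it parses a constructed IdP metadata document (the entity ID, URLs, attribute names and certificate body are placeholders, not a real IdP's data), picks the signing certificate, the SingleSignOnService and SingleLogoutService locations (preferring the HTTP-Redirect binding), the NameIDFormat values and the attribute names, and normalises the certificate by removing the line breaks that IdPs usually wrap it with. It also computes a SHA-256 fingerprint of the decoded certificate, which is a convenient way to confirm that what you send matches the current file exactly.

```python
"""Pull the IdP settings listed above out of an IdP metadata XML file.

Added example, not Skilljar's code. Uses only the standard library. The
metadata below is constructed: the entity ID, URLs, attribute names and the
certificate body are placeholders, not a real IdP's values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate body: base64 of a label, NOT a real DER certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed IdP metadata, laid out the way IdPs usually emit it: the
# certificate is wrapped over several indented lines.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    xmlns:saml="{NS['saml']}" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {SAMPLE_CERT_B64[:24]}
          {SAMPLE_CERT_B64[24:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/saml/sso"/>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(descriptor, tag, preferred=(HTTP_REDIRECT, HTTP_POST)):
    """Return the Location of the first <md:tag> endpoint, in preferred binding order."""
    endpoints = descriptor.findall(f"md:{tag}", NS)
    for binding in preferred:
        for endpoint in endpoints:
            if endpoint.get("Binding") == binding:
                return endpoint.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Extract the IdP settings an SP needs from IdP metadata XML."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    certs = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A missing 'use' attribute means the key serves both purposes;
        # encryption-only keys do not verify assertion signatures.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Remove the line breaks and indentation copied from the file.
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "idp_certificate": certs[0],
        # Fingerprint of the DER bytes, handy for confirming an exact match.
        "idp_certificate_sha256": hashlib.sha256(base64.b64decode(certs[0])).hexdigest(),
        "sso_url": _location(idp, "SingleSignOnService"),
        "slo_url": _location(idp, "SingleLogoutService"),
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "attribute_names": [a.get("Name") for a in idp.findall("saml:Attribute", NS)],
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

To use it on your own file, pass the contents of the metadata XML to `parse_idp_metadata`. If the IdP rotates its signing certificate, the fingerprint changes; comparing fingerprints is a quick way to spot that the copy you provided is no longer the current one.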

Once your domain is configured with the settings you've provided above and SSO is enabled, you can find the SP settings in the SP Metadata XML file, which you can download from the Domains Settings page of the relevant domain in your Skilljar Dashboard, under SSO Configuration. Select the XML button to download the file.

xmldownload.png

Similar to the IdP XML file, your SP Metadata XML file will include this information:

  • SP Entity ID (This will be your training site web address, for example, https://example.company.com/. Note that the slash (/) at the end of the address is required.)
  • SP x509 Certificate (Optional, used to verify the SP’s request signature)
  • AssertionConsumerService URL (Your training site's unique endpoint where the IdP will send the SAML Assertion)
  • SingleLogoutService URL (Optional. When SLO is initiated by the IdP, this is your Skilljar training site's unique logout web address, which can be configured in your IdP to make a GET request that logs the user out of Skilljar.)
  • NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Note: Skilljar requires the Assertion of the Response to be signed.
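When a login fails, the quickest diagnosis is usually to compare the SAMLResponse the IdP actually posted to the AssertionConsumerService URL against the SP settings above. The following is an added example, not Skilljar's code: it decodes a constructed response (the site, paths, IDs, user and signature element are placeholders) and reports the mismatches that most often break a setup: a Destination that differs from the ACS URL, an Audience that differs from the SP Entity ID (typically the missing trailing slash), an unsigned Assertion, an expired validity window, a NameID that is not in emailAddress format, and attribute names that do not match exactly. It deliberately does not verify the XML signature itself; that needs an XML-DSig library such as xmlsec and is the SP's job.

```python
"""Check a SAMLResponse against the SP settings above before debugging further.

Added example, not Skilljar's code. The response below is constructed: the
URLs, IDs, user and signature element are placeholders. It checks the fields
that most often mismatch the SP metadata; it does not verify the XML
signature itself, which needs an XML-DSig library (for example xmlsec).
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# SP settings as they would appear in the SP metadata (placeholder site and path).
SP_SETTINGS = {
    "entity_id": "https://training.example.com/",              # trailing slash required
    "acs_url": "https://training.example.com/auth/saml/acs/",  # placeholder ACS path
    "attributes": ["firstName", "lastName", "email"],
}

# Constructed response as the IdP would post it to the ACS URL (before base64).
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://training.example.com/auth/saml/acs/">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">ada@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://training.example.com/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(saml_response_b64, sp, now):
    """Return the mismatches between a base64 SAMLResponse and the SP settings.

    'now' is an ISO timestamp string; an empty list means nothing obvious is wrong.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if root.get("Destination") != sp["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {sp['acs_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion in Response (an EncryptedAssertion must be decrypted first)")
        return findings
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed (a signature on the Response alone is not enough)")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS)
    if audience != sp["entity_id"]:
        findings.append(f"Audience {audience!r} != SP Entity ID {sp['entity_id']!r} (check the trailing slash)")
    conditions = assertion.find("saml:Conditions", NS)
    current = _ts(now)
    if conditions is not None:
        if conditions.get("NotBefore") and current < _ts(conditions.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore); check clock skew")
        if conditions.get("NotOnOrAfter") and current >= _ts(conditions.get("NotOnOrAfter")):
            findings.append("assertion expired (NotOnOrAfter); check clock skew or a replayed response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append(f"NameID Format is not {EMAIL_FORMAT}")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in sp["attributes"]:
        if name not in present:
            findings.append(f"attribute {name!r} missing from AttributeStatement (names must match exactly)")
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE_B64, SP_SETTINGS, "2024-01-01T00:01:00Z") or "no mismatches")
```

The base64 SAMLResponse can be copied from the POST body to the ACS URL in a HAR file. Dropping the trailing slash from the SP Entity ID is enough to produce an Audience mismatch, which is why the note above insists on it.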

How it Works

SAML 2.0 is an XML-based SSO standard for authentication involving two parties:

  • The Service Provider (in this case, your Skilljar training site)
  • Your Identity Provider (IdP).

With SAML 2.0 on your domain, Skilljar (the Service Provider) relies on the IdP to authenticate your users, and if successful, the IdP sends a SAML assertion (including the user’s identity) to Skilljar. Here are the two ways SAML 2.0 works as an SSO standard:

Service Provider Initiated Sign On

In this example, the user begins the SSO flow from the Service Provider (your Skilljar training site):

  1. On sign-in, Skilljar redirects the browser to the SingleSignOnService URL with a SAML request, where the user will be asked to sign in if they aren’t already authenticated.
  2. On successful sign-in, the Identity Provider redirects the browser back to Skilljar (specifically, the configured AssertionConsumerService URL) with a SAML assertion (including the user’s identity).
  3. Skilljar then analyzes and processes the SAML Assertion and signs the user into your training site.

SAML_2.0__SP_Initiated_SignOn__1_.png
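Step 1 of the flow above is a browser redirect carrying a SAMLRequest query parameter. The following is an added example, not Skilljar's code, showing how that parameter is built under the SAML HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding) and, going the other way, how to decode a SAMLRequest captured from a HAR file to see which Issuer, Destination and AssertionConsumerServiceURL the SP actually sent. The site, IdP and ACS path are placeholders.

```python
"""SP-initiated sign-on, step 1: build and decode the SAMLRequest on the
redirect to the SingleSignOnService URL (SAML 2.0 HTTP-Redirect binding).

Added example, not Skilljar's code. The URLs are placeholders.
"""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, sso_url, request_id=None, issue_instant=None):
    """Return the AuthnRequest XML an SP sends; ID and IssueInstant default to fresh values."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="{HTTP_POST}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_url(sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate stream
    raw = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state  # where to land after sign-in
    separator = "&" if urlparse(sso_url).query else "?"
    return sso_url + separator + urlencode(params)


def decode_saml_request(url):
    """Decode the SAMLRequest from a captured redirect URL (for example from a HAR file)."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    request = build_authn_request(
        "https://training.example.com/",                 # SP Entity ID (trailing slash)
        "https://training.example.com/auth/saml/acs/",   # placeholder ACS URL
        "https://idp.example.com/saml/sso",              # IdP SingleSignOnService URL
    )
    url = redirect_url("https://idp.example.com/saml/sso", request, relay_state="/course/intro")
    print(url)
    print(decode_saml_request(url))
```

When comparing a decoded request with the IdP's configuration, the Issuer should equal the SP Entity ID from the SP metadata and the AssertionConsumerServiceURL should be the one registered with the IdP; a mismatch in either is a common cause of the IdP rejecting the request.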

Identity Provider Initiated Sign-On

In this example, authentication into the Service Provider (your Skilljar training site) begins in the Identity Provider, where the user is already authenticated.

  1. The user will typically click on a link within your Identity Provider, which is the IdP Initiated SSO web address specific to the Service Provider. The Identity Provider generates the SAML Assertion (including the user’s identity) and sends it back to Skilljar (specifically, the AssertionConsumerService URL).
  2. Skilljar will then analyze and process the SAML Assertion and sign the user into your training site.

SAML_2.0__IdP_Initiated_SignOn__1_.png

Troubleshooting

For general SAML SSO troubleshooting and examples of common errors, please see SAML Single Sign-on (SSO) - Common Errors & Troubleshooting.

Salesforce Integration

You can also manage various SAML 2.0 SSO settings for your Salesforce integration, such as changing the session inactivity timeout period. For more information, please see the Salesforce help center article.


Need Support? 

If you have issues or questions about Skilljar and your training site, please don't hesitate to reach out to Skilljar Support. The more information you can provide to us, the better we can help, so please send us screenshots, test logins, HAR files and anything you feel will help.
